PHPGurukul Apartment Visitors Management System CVE-2025-7817
Severity (by source): LOW
CVSS 4.0 vector (NVD; primary rating and only source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability has been found in PHPGurukul Apartment Visitors Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /bwdates-reports.php of the component HTTP POST Request Handler. The manipulation of the argument visname leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Reflected cross-site scripting (XSS) in PHPGurukul Apartment Visitors Management System 1.0 allows authenticated remote attackers to inject malicious scripts via the visname parameter in /bwdates-reports.php, executing arbitrary JavaScript in victim browsers when user interaction occurs. Publicly available exploit code exists; EPSS score of 0.05% indicates low real-world exploitation probability despite public POC availability.
Technical Context (AI)
This is a reflected cross-site scripting vulnerability (CWE-79) in a PHP-based apartment management application. The vulnerable endpoint /bwdates-reports.php fails to properly sanitize or validate the visname HTTP POST parameter before rendering it in the HTTP response. The HTTP POST Request Handler component does not encode user-controlled input destined for HTML context, allowing attackers to inject script tags or event handlers. The vulnerability exists in PHPGurukul's apartment management suite, which is a PHP application commonly used in property management scenarios.
Remediation (AI)
No vendor-released patch has been identified at the time of analysis. Organizations using this product should upgrade to a patched version as soon as one is available from the vendor, or contact PHPGurukul at phpgurukul.com for security updates. As compensating controls, HTML-entity-encode every user-controlled value at the point it is output in /bwdates-reports.php (specifically the visname parameter), apply input validation to reject unexpected special characters in the visname field, and deploy a Web Application Firewall (WAF) with XSS detection rules to filter script injection attempts. Additionally, enforce Content-Security-Policy (CSP) headers that restrict inline script execution; this limits the impact of both stored and reflected XSS even if input validation is bypassed. Note that CSP may require application modifications and testing to avoid breaking legitimate functionality.
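The following is an added illustration of the vulnerable pattern and the output-encoding fix described above; it is not PHPGurukul's code. Only the parameter name (visname) and the endpoint come from the advisory; the report markup, the function names and the CSP value are constructed assumptions.

```php
<?php
// Constructed example, not the application's own source: shows the CWE-79
// pattern the advisory describes and the encoding-at-output fix.

// Vulnerable pattern: the POST value is concatenated into HTML unencoded, so
// any HTML-significant characters in visname are parsed as markup.
function render_filter_vulnerable(array $post): string
{
    $visname = $post['visname'] ?? '';
    return "<p>Visitor name filter: " . $visname . "</p>";
}

// Hardened pattern: contextual output encoding at the point of rendering.
// ENT_QUOTES covers both quote styles so the same helper is safe inside a
// double-quoted attribute; ENT_SUBSTITUTE avoids silent empty output on
// invalid UTF-8 sequences.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_filter_hardened(array $post): string
{
    $visname = $post['visname'] ?? '';
    // Input validation in addition to (not instead of) encoding: a visitor
    // name filter has no legitimate need to be very long. Limit is assumed.
    if (strlen($visname) > 100) {
        $visname = '';
    }
    // Text context and attribute context (sticky form field) both encoded.
    return "<p>Visitor name filter: " . e($visname) . "</p>\n"
         . '<input type="text" name="visname" value="' . e($visname) . '">';
}

// Defence in depth from the remediation text: a CSP without 'unsafe-inline'
// keeps injected inline script from running if encoding is ever bypassed.
// Must be sent before any output; the policy here is a starting point that
// needs testing against the real application (assumed value).
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Constructed sample input containing HTML-significant characters.
$sample = ['visname' => '<i>Smith & "Sons"</i>'];
echo render_filter_vulnerable($sample), "\n"; // tags reach the browser as markup
echo render_filter_hardened($sample), "\n";   // &lt;i&gt;Smith &amp; &quot;Sons&quot;&lt;/i&gt;
```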